Cyber Risk News, Vol. 203 – August 22, 2018

We bring to your attention a sampling of recent media stories involving cyber risk & privacy liability. Among the stories we’re highlighting this month: final settlement in the Anthem breach, more class actions, phishing, a coordinated international cyber heist using ATMs, business interruption, and more.

LONDON REGISTRATION IS OPEN
Join us at NetDiligence® Cyber Risk Summit London—Tuesday, 6 November, 2018—to connect with experts in cyber risk and privacy liability and learn about the most relevant cyber threats facing Europe today. Early Bird pricing is available.

PUBLIC ENTITY

258K People At Risk in Adams County of Wisconsin Data Breach

The Adams County government said in an August 10 release that the breach involved PII, PHI, and tax information from the county’s Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, Health and Human Services (HHS), Child Support, and Sheriff’s Office.

Nashville lists Social Security numbers in some public records

NASHVILLE, Tenn. - A Tennessee city has published confidential information including Social Security numbers in some publicly available court records.

HEALTHCARE

Judge Gives Final OK to $115M Anthem Data Breach Settlement

US District Judge Lucy Koh has given final approval to a $115 million settlement that ends further claims against Anthem over its 2015 data breach that exposed personal information on 79 million people.

Augusta University Health Exposed 417K Records Due To Phishing Attacks

Reportedly, Augusta University Health suffered a data breach due to multiple phishing attacks over the year. Regretfully, the breach has exposed around 417,000 records.

InterAct of Michigan Phishing Attack Exposes PHI on 1,290 People

In a statement on its website, InterAct explained that it became aware on June 8 that an unauthorized third party accessed a company email account. The mental health and substance abuse treatment provider determined on July 30 that the email account contained clients’ names and Social Security numbers, and in some cases dates of birth, treatment history, and prescription data.

Second data breach at UnityPoint Health added to class action lawsuit

A class-action lawsuit against UnityPoint Health over a data breach reported this spring was amended Monday to cover a second breach revealed last month. Four patients are named in the updated lawsuit. They are among 1.4 million people, including 76,000 in Wisconsin, who were notified July 30 that their names, addresses and medical information — and, for some, driver’s license, Social Security and payment card or bank account numbers — may have been compromised.

FINANCIAL SERVICES

Data of Thousands of Card Applicants Exposed

Credit card issuer TCM Bank, which works with some 750 small and community U.S. financial institutions, including credit unions, exposed the personal information of thousands of individuals who applied for accounts.

Tax Prep Co. Hit With Class Suit Over Data Breach

A Florida customer of cloud-based human resources and tax preparation company ComplyRight Inc. filed a proposed class suit Wednesday in federal court, saying the company failed to adequately maintain its security systems to prevent a breach this year that compromised the information of thousands of customers.

Indian Bank Hit in $13.5M Cyberheist After FBI ATM Cashout Warning

On Sunday, Aug. 12, KrebsOnSecurity carried an exclusive: The FBI was warning banks about an imminent “ATM cashout” scheme about to unfold across the globe, thanks to a data breach at an unknown financial institution. On Aug. 14, a bank in India disclosed hackers had broken into its servers, stealing nearly $2 million in fraudulent bank transfers and $11.5 million in unauthorized ATM withdrawals from cash machines in more than two dozen countries.

AIRLINE/TRAVEL

Lawsuits target Delta and vendor for cybersecurity breach

In the wake of a massive data breach involving chat software on Delta Air Lines’ website, potential class-action lawsuits point a finger at the airline for putting its customers’ information at risk.

HIGHER EDUCATION

Eastern Maine Community College Data Breach Exposed 42,000 Records

Eastern Maine Community College suffered a malware attack targeting several computers. As a result, around 42,000 records of former students and employees were exposed in the EMCC data breach.

Yale University discloses old school data breach

The data breach was discovered a decade too late to do anything about it. …According to the university, 119,000 individuals were affected.

BUSINESS INTERRUPTION

PokerStars Admits it Has Suffered DDoS Attacks

Last week, PokerStars issued a tweet stating that it had suffered site outages and had canceled tournaments due to the “series of DDoS attacks” that had targeted its offerings.

Reddit has suffered a ‘security incident’ in the form of a sophisticated hack that has exposed the personal data of some users. …Cyber crooks managed to swipe user data that included usernames, email addresses and hashed passwords.

Computer virus cripples top Apple supplier TSMC

Taiwan-based chip manufacturer TSMC warned that the infection, which was eventually contained, will delay shipments of its products and could wipe as much as $171 million off its revenue.

How did the TimeHop data breach happen?

Compromise of an employee’s credentials, lack of multi-factor authentication, and weak insider threat analysis all played a part in the recent TimeHop data breach in which 21 million user accounts were compromised.

LATIN AMERICA

Brazilian prosecutors sue Banco Inter over data breach

Brazilian public prosecutors have filed a civil public action against the country’s first digital-only bank over a breach affecting nearly 25,000 consumers.

EUROPE / UK

Dixons Carphone admits 10 million customers hit by data breach

Technology retail giant Dixons Carphone has admitted that the massive customer data breach that occurred last year involved far more people than was originally thought.

The NHS was involved in a data breach that saw nearly 10,000 documents either stolen or missing from 68 hospitals last year. The breach, chronicled in a new research report by leading think tank Parliament Street, comprises 9,132 cases of stolen or missing documents.

Engineering group RCR Tomlinson took three months to notify the Office of the Australian Information Commissioner that employees’ personal data, including bank account numbers and credit cards, had been accessed in an internet scam despite new laws requiring companies to inform the regulator in “a timely manner.”

ASIA / PACIFIC

Two major Thai banks hacked, personal details from over 120,000 customers stolen

The Bank of Thailand (BOT) has confirmed that hackers have stolen information of more than 120,000 customers in a massive data breach at two major commercial banks.